I read a Forbes article today with an interesting message: manage cybersecurity the way you would manage risk. I could put this another way: manage cybersecurity with a Finance mindset. How does treating cybersecurity like a risk problem differ from treating cybersecurity like an IT problem? I am glad you asked!
You Can Manage Cybersecurity. You Cannot Solve Cybersecurity.
Who does not like the satisfaction of crossing an item off your To Do list? Well, that’s done. Next! We like to think about IT projects that way: as problems to be solved. Cybersecurity does not fit that model. You do not “solve” cybersecurity because it is not one “thing.” You can solve this cybersecurity problem, but rest assured, there will be another one to take its place.
You manage cybersecurity risk. OK, what does that mean, exactly? It means that you make tradeoffs. You balance the cost of closing a cybersecurity gap with the expected benefit of doing so. Your approach is to reduce the risk of cybersecurity incidents to an acceptable level. You are trying to manage cybersecurity risk, not eliminate it.
Think About Your Cyber Defense Portfolio
Finance people understand the need to invest. Let me share a story. Back in my product days, we would annually put an R&D budget together. Our proposition was this: “For a given amount of investment, we will (eventually) deliver product that generates this amount of return.” The Finance people would run a sensitivity analysis on the numbers. What if Dan is a year late delivering the product? What if demand is half of what he projects? Twice what he projects? Once Finance completed this analysis, they had a metric they could use to compare different investments. They could then allocate investment to the projects with the highest expected rate of return. How? Start with the highest-rated project. Keep going until you spend all the investment.
Finance could have taken this approach. But they took a portfolio approach instead. Finance invested in a portfolio of projects. Some were “sure thing” projects that would not shatter any sales records, but you could pretty much count on the money. Other projects were “fliers” that had much higher risk but also much higher potential returns.
Finance hedged their bets. They did not put all the investment on the sure thing. At the same time, they did not put everything on the risky project either. They selected a portfolio of projects that would, in the aggregate, deliver the best likely return on investment.
Think Like a Finance Manager
Allow me to translate this to the IT world. We start by looking at each cyber defense project we are considering. We ask:
- What are the costs to implement this project? Which costs happen once? Which costs are incurred every year?
- Does this project depend on some other project being completed to deliver its benefits?
- What benefits do we expect from this project? How does it make our cybersecurity stronger? Can we quantify these benefits?
- How much will this project reduce our cybersecurity risk?
- Can we afford to go forward with this project? Can we afford not to?
Remember Your Biggest Cost
I have often said, “there is no single SKU (stock-keeping unit) for cybersecurity.” What I mean is that there is no one product you can purchase that will “solve” your cybersecurity issues. Why is this true? Because you have multiple issues, not just one. Also, the cybersecurity market is fragmented, with players solving specific problems. Other than hiring a Managed Security Services Provider, there is no one check you can write that will completely manage cybersecurity.
Remember that your biggest cost is labor—the folks working for you who will have to implement whatever security measures you choose to adopt. Yes, automation is taking place. And it is true that there are promising developments in machine learning. The fact remains, however, that your most critical need is for a person to evaluate the cybersecurity alerts being generated. Someone must chase down the signals and determine which are false positives. For the true positives, someone must investigate, determine what happened, and develop a remediation strategy. That “someone” likely has other responsibilities. So, how much time can you realistically expect them to devote to cybersecurity?
As you evaluate your next cybersecurity project, ask yourself: what staff time will be needed to make this work? Can I devote that time? Can I outsource the people work to another organization? Do I trust that organization? I especially see this with organizations setting up alerting systems. Alerts are great if they are examined and resolved. Otherwise, alerts just generate more “alert fatigue” and provide a false sense of security.
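The evaluation questions in the list above (one-time versus recurring cost, dependencies, risk reduction, affordability) together with the staff-time point made here can be worked through in code. This is an added example, not part of the original post: every project, dollar figure, hourly rate, risk-reduction fraction and the expected annual loss are constructed, and the greedy ranking by loss avoided per dollar is my own simplification of a portfolio choice, not a method the post prescribes.

```python
from dataclasses import dataclass

HOURLY_RATE = 75.0   # assumed loaded labor cost per staff hour (constructed)
HORIZON_YEARS = 3    # period over which a one-time cost is spread


@dataclass(frozen=True)
class Project:
    name: str
    one_time_cost: float          # incurred once
    annual_cost: float            # licences, support: incurred every year
    staff_hours_per_year: float   # people time to run it: triage alerts, chase signals
    risk_reduction: float         # fraction of annual expected loss removed, 0..1
    depends_on: tuple = ()        # projects that must be in place first


def annualized_cost(p: Project) -> float:
    """Yearly cost of a project, with labor counted as the post says it must be."""
    return p.one_time_cost / HORIZON_YEARS + p.annual_cost + p.staff_hours_per_year * HOURLY_RATE


def loss_avoided(p: Project, annual_expected_loss: float) -> float:
    """Expected yearly loss this project removes: the 'benefit' side of the tradeoff."""
    return p.risk_reduction * annual_expected_loss


def select_portfolio(projects, annual_expected_loss, budget, staff_hours):
    """Greedy pick by loss avoided per dollar; honours dependencies, budget and staff time."""
    chosen, spent, hours, remaining = [], 0.0, 0.0, list(projects)
    while True:
        eligible = [p for p in remaining
                    if all(d in chosen for d in p.depends_on)
                    and spent + annualized_cost(p) <= budget
                    and hours + p.staff_hours_per_year <= staff_hours]
        if not eligible:
            return chosen, spent, hours
        best = max(eligible, key=lambda p: loss_avoided(p, annual_expected_loss) / annualized_cost(p))
        chosen.append(best.name)
        spent += annualized_cost(best)
        hours += best.staff_hours_per_year
        remaining.remove(best)


# Constructed sample portfolio; numbers are illustrative, not benchmarks.
PROJECTS = [
    Project("Multi-factor authentication", 6000, 3000, 40, 0.30),
    Project("Phishing training", 0, 4000, 60, 0.15),
    Project("Device management", 9000, 6000, 120, 0.20),
    Project("SIEM", 30000, 20000, 800, 0.25, ("Device management",)),
    Project("Data loss prevention", 15000, 10000, 300, 0.10, ("Device management",)),
]
ANNUAL_EXPECTED_LOSS = 200_000.0  # constructed

if __name__ == "__main__":
    print(select_portfolio(PROJECTS, ANNUAL_EXPECTED_LOSS, budget=50_000, staff_hours=600))
```

With a 50,000/year budget and 600 staff hours the basics are chosen and the SIEM and DLP projects are deferred; raising the budget to 80,000 brings DLP in, which is the "now or later" question the post ends on.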
Find the Cybersecurity Risk Level That is Right for Your Organization
As you manage cybersecurity in your organization, start with the small investment/high impact projects.
- Get multi-factor authentication implemented.
- Train your users to recognize phishing messages.
- Get your computers and smart devices under management.
- Audit your security setup.
- Run some penetration tests.
These “basic” steps will help a lot. Now ask, “what would I need to do to move our cybersecurity risk to a higher level of safety?” What will it take to implement a data loss prevention program? Set up a SIEM?
The time will come when it makes sense to take on these high-value but complicated-to-deliver projects. Just ask whether that time is now or later.
Remember that managing cybersecurity is all about managing risk. It is about investing to reach a level of risk that the organization will find acceptable for now. Adopt this mindset and you will have an easier time sorting through your cybersecurity projects.